Researcher Hacked Mozilla Firefox in just 8 seconds


Security researcher Manfred Paul hacked Mozilla Firefox in just 8 seconds as part of the Pwn2Own Vancouver 2022 hacking competition, which ended last Friday.

During the attack, Paul used exploits for two previously unknown vulnerabilities, for which he received a prize of $100,000. Later that day, he won another $50,000 for discovering a previously unknown vulnerability in Apple Safari.

CVE-2022-1802 – a JavaScript prototype pollution vulnerability in the implementation of Top-Level Await. It allows attackers who have compromised an array in JavaScript to execute code in a privileged context.

CVE-2022-1529 – untrusted input used to index JavaScript objects, which leads to prototype pollution. An attacker can send “a message to the parent process, the contents of which are used for double indexing into a JavaScript object.” This results in prototype pollution, as described above.
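The bug class described above, double indexing with attacker-supplied keys, shown next to a hardened handler. This is an added illustration, not Firefox code: the function names, the message shape (`group`, `name`, `value`) and the sample message are hypothetical and constructed for the example.

```javascript
// Added illustration of the bug class; all names here are hypothetical.

// Vulnerable pattern: both keys come straight from the untrusted message.
// With group === "__proto__", store[group] resolves to Object.prototype,
// so the write lands on every object in the realm.
function handleMessageUnsafe(store, msg) {
  store[msg.group][msg.name] = msg.value;
}

// Hardened pattern: validate key types, reject keys that reach the
// prototype chain, and only index into own properties of the store.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function handleMessageSafe(store, msg) {
  const { group, name, value } = msg;
  if (typeof group !== "string" || typeof name !== "string") return false;
  if (FORBIDDEN_KEYS.has(group) || FORBIDDEN_KEYS.has(name)) return false;
  if (!Object.prototype.hasOwnProperty.call(store, group)) return false;
  store[group][name] = value;
  return true;
}

// Constructed sample message standing in for data from a less-privileged sender.
const hostileMessage = { group: "__proto__", name: "isTrusted", value: true };

function demo() {
  const result = {};

  const unsafeStore = { prefs: {} };
  handleMessageUnsafe(unsafeStore, hostileMessage);
  // A fresh, unrelated object now inherits the injected property.
  result.pollutedAfterUnsafe = ({}).isTrusted === true;
  delete Object.prototype.isTrusted; // undo the pollution before continuing

  // Prototype-less containers add a second layer of defence.
  const safeStore = { prefs: Object.create(null) };
  result.hostileAccepted = handleMessageSafe(safeStore, hostileMessage);
  result.pollutedAfterSafe = ({}).isTrusted === true;
  result.legitAccepted = handleMessageSafe(safeStore, {
    group: "prefs", name: "theme", value: "dark",
  });
  result.theme = safeStore.prefs.theme;
  return result;
}

console.log(demo());
```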

Fortunately, the Mozilla Foundation reacted with lightning speed to Paul's discovery and immediately released emergency fixes. Since the Firefox browser is updated automatically in the background, patches have already been delivered to almost all users.

Corrected versions:

Firefox v100.0.2 for desktop computers;

Firefox v100.3.0 for Android;

Firefox v91.9.1 for corporate clients with extended support.
